There are many possible avenues, access policies and service misconfigurations leading to data exposure when managing and protecting workloads in IaaS environments.
According to recent statistics, as many as 7% of all S3 servers are completely publicly accessible without any authentication and 35% are unencrypted. And if the incidents of the past six months or so are any indication, these aren’t low-value data stores.
The challenge is, governing who or what can access cloud-based workloads while in rest or transit needs to be different than the way you’ve been governing identities and data in on-premises environments. Because these environments are different, you could be opening your critical applications and data to hackers, which results in the plethora of data hacks we see today.
National Credit Federation – December 2017
Data Exposed: 111GB of detailed financial information–including full credit reports–about 47,000 people. This credit repair service put the financial lives of tens of thousands of customers at grave risk when it left extremely detailed financial information publicly available on an S3 bucket.
Alteryx – December 2017
Data Exposed: Personal information about 123 million American households
The Lowdown: This marketing and analytics company, which sells data aggregation and analytics for marketing purposes, put sensitive data at risk for the majority of American households.
Despite the significant efforts from the cloud providers in creating awareness of the “shared responsibility model”, providing security controls and trainings, the leaks continue and the damage with each leak is growing in leaps and bounds. Unfortunately, the cloud industry lacks a sustainable solution for identifying root causes and automated policy-driven remediation.
What’s more, finding the root causes that lead to data leaks costs organizations millions each year in paid consulting services and failed audit fees.
When you think cloud, it’s so easy to stand up working environment. Which means, it’s easy to create an insecure environment and lose control, especially as it relates to cost and security. And because developers are responsible for building, managing and deploying workloads to the cloud, the responsibility for securing these environments to ensure security and compliance has shifted to developers. Therefore, the term “shift left” is so ubiquitous today in tech discussion.
At Saviynt, we help organizations using DevOps processes ensure the code used to stand-up workloads cloud-based infrastructure is monitored and managed to prevent inadvertent mistakes made by developers coding the access calls to databases and other connected services for the workloads to work in a secure and compliant way.
In this recording of Vibhuti Sinha’s presentation at ChefCon 2018, he recommends organizations prioritize how to tackle this challenge by focusing on these three preventative areas to light the path for DevOps shops to see what bug fixes and updates are required to truly ensure the access policies and controls in your IaaS workloads are compliant to the principle of least privilege.
Visibility
To see is to know. Learning is how we understand the changes needed for correction. Just as your DevOps teams use workflow visibility tools that help them ensure the quick pace of the software development culture doesn’t manifest a giant string of fluffy, buggy yarn that kids will have a ball with for generations, Saviynt recommends enabling greater visibility via a unified dashboard that intelligently and uses access and use activity of infrastructure workloads in order to detect and correct areas of potential risk.
Identity Governance Administration
In Chef, the new code, if a variant from the norm, becomes the new norm. It’s called Chef for a reason. The great chefs of our time are well known for combining interesting flavors from the spices of multiple continents into something crunchy and delicious that is plated in new and interesting shapes and colors for the pallet. Similarly, code building in cloud environments uses Chef-like tools to foster similar, unique and creative ways to spin-up plates and bytes of object-oriented code delivered as a service to the ever-hungry business that needs to compete and survive in a fast-paced global economy. At the same time, a Chef also must manage the lifecycle of identities within the ecosystem of a restaurant, from kitchen staff to the patrons. The work from end-to-end requires each role to perform distinct, rote tasks for food prep. The server staff calls and picks up orders on demand. And the patrons of the restaurant order food while declaring what they can/can’t eat based on diet or allergies.
Privileged Access Management
If you don’t get what you ordered, you get served another one until it’s just right. From end-to-end, DevOps pros need to include and respect the concepts around role governance, role design, mining, and provisioning in both federated and non-federated environments to ensure access governance best-practices are cooked within the meal at the right time, assembled on the right plate, and picked up to serve when all the guests are ready to consume. Mastery over a good kitchen is mastery of DevOps processes from end-to-end. Everyone is in their station, and no one should have more authority or given more than what they are assigned. A kitchen chef knows the team members have grand ideas and capabilities, but for what is to be delivered in that master’s restaurant environment, privileges are restrained intentionally to enable a stable workflow, so accidents don’t happen. Tools enabling a console to see workflow, including how APIs, CLIs, call for workloads that are fit for purpose using only the ingredients required. Privileged accounts have the power to call for more than what was ordered. Often the result is a separation of duty violation or leaving business critical assets exposed to the threats from hijackers and hackers.
Practical guidance is available from Saviynt on more granular ways to build governance into your cloud environments in this YouTube video and this blog post. Also, check out Saviynt’s Infrastructure-as-a-Service solution that offers pre-configured governance capabilities in one-click, easy to consume services for your cloud environments.
